What's it like to be hacked? James Fallows over at the Atlantic Monthly tells us his experience. One night his wife left her computer on when she went to bed. The next morning she discovers her Gmail account is inaccessible!

Though, @XKCD, combinations of common words can easily find their way into password cracking tools - one might throw in some sparse symbols and/or an uncommon* word.

*as in, ~"private" ...nicknames, local dialects, and such (NOT only such words, I'm not saying that / too meaningful whole passwords is what in turn makes pass guessing by humans relatively easy).
I've actually googled right now an old ~nickname of sorts of my father - no hits, ZERO (it merely suggested one somewhat-but-not-really similar sounding - and only when pronounced in some Slavic language - word from the region)

People do get accounts hacked out of either lack of knowledge, laziness or stupidity. While I can excuse lack of knowledge, I can't excuse laziness and stupidity.

The accounts and devices I really care about are protected reasonably (some e-mail, Facebook, Twitter, forums, websites, game, banking, hosting accounts, my computer at work). I use good passwords and use a different one for each account. I don't use built-in security questions, I use my own. Answers to security questions can't be found on the web because they are like passwords: just some letters and numbers.

Accounts which I consider not very important may share the same simple password. My home computer and my laptop aren't given too much attention security wise, because I don't care too much about whatever data may be found on them.

They can't really blame google because, as they say, only a minority of users get accounts hacked and it would be much better to direct resources in areas that would benefit more.

It's an app that generates the code locally. The device need not have a Google account attached to it in any way for the app to work. Nor does it need to be a phone or have internet access. I'm not sure of the exact algorithm they use to generate the one-time password, but there are a few of them out there.

If any of your friends has an Android phone they have probably linked your real name with your phone number and your email address already, anyway. And maybe also your home address, work contact info and a photograph.

I guess they added it quite recently and/or my account was slow to get that update? ...I think I would notice "show Chats in IMAP" option, I rely quite a lot on labels and manipulate them often.
It was ~inadvertently on at the start of IMAP availability, but with some unpredictable results. Quickly removed and remaining that way for quite some time.

And so, the world is more at peace... For me, it's also about offline searches being much faster - particularly since Gmail search has, for some reason, a bit primitive treatment of diacritics and "part word" searches (invaluable in languages with complex declension and such)

If the author is wondering how her password was hacked, the first thing that sprung to mind was Firefox's "Show Passwords" field. Any saved password is stored without encryption by default, and is thus visible by anyone. She used a public terminal at an airport...perhaps Firefox had been set to store all passwords and it was accessible that way. Just a first thought.

I guess this is also an example of why regular, archived backups are needed. Relying upon the fact that emails are reliably stored by Google hardware is insufficient, since it doesn't allow for human error (or malicious attacks), or even a major bug in a future version of GMail. Perhaps Google could offer long-term archived storage of emails for those who want it - that way, if your main account is compromised and all emails deleted by the user, then you can still access a backup. However, it would be safer for most businesses to store backups with an independent provider, in case Google messes up. The easiest way most people can avoid this problem is to get an email client and download everything onto your PC, then copy emails onto an external hard-disk or use your regular on-line backup.

One night his wife left her computer on when she went to bed. The next morning she discovers her Gmail account is inaccessible!

Sorry, but what's the cause and effect here? Is he implying that it got hacked because she left her computer on?

But from Google’s engineering perspective, the deleted-mail problem, while dire for those confronting it, affected only a tiny fraction of their users, and also was more complicated to solve than some other mainstream usability issues.

I doubt this is the perspective of the engineering team. This is a business decision, not an engineering decision. Obviously someone in management decided it was more important to have a lean interface than to spend time and money creating a solution that few users will ever need.

What Fallows learned the hard way is that the online services we assume will protect us look for us to protect ourselves.

(and Steam allowed making DVD backups, last time I tried? ...unless you mean DRM - yeah, that could potentially be a problem; OTOH, I think Valve said they would unlock it if ever going under)

So if you make a DVD backup of a Steam game, then your Steam account is wiped for some reason, you can still play your game? I believed it was not possible because it would allow - shock, horror - letting relatives use your copies of the game.

Alright. I guess I overestimated the impact of these DVD backups you mentioned, then. I believed that they did more than avoiding long downloads when a gaming computer's hard drive dies. If not, I don't see the point in making them if you have broadband and regular PC backups.

The problem I see with Steam (and other application stores) is that if, for some reason (bug, Valve diktat, compromised account), you lose your usage rights on a piece of software, it's gone. You cannot use it anymore, and there is little chance you will recover the right to use it. There is no way you can make a backup of your right to play a Steam game, if you see what I mean.

Can you easily download all your mail from Hotmail, through a standard protocol such as POP or IMAP, or do you have to use a Hotmail-specific workaround to do that? Last time I checked, it was the latter, but that was arguably a long time ago.

Same for wordpress.com (which is different from a self-hosted WordPress blog). I'm honestly interested if there is a simple way to download the database of a blog that is hosted there. I believe I have carefully checked the dashboard for this without finding anything.

EDIT: Never mind for wordpress.com. Tools->Export->Export. Guess I did not look hard enough, I was pretty sure I had checked everything...

Yes, Hotmail does have POP3 access, I use it all the time. Most of the email clients I have used, including Thunderbird, Outlook/Express and Evolution, set up the account automatically when you enter Hotmail as an account in settings.

This wasn't the case last time I used Hotmail (a few years ago now), so it must be a relatively recent upgrade, perhaps around the time their inboxes suddenly got huge... I even asked their helpdesk at the time, only to be helpfully told that the only way to use Hotmail offline was to download Outlook Express and use that, even though I'd told them I was using Linux...

I had my gmail account stolen by a homonymous guy. He just used the "Someone else is using my account" procedure. I know for sure, because I've been able to talk to that guy afterwards. Even the guy was somewhat surprised the procedure worked so easily.

I got my account back using the same procedure, in a matter of hours, just to discover that all my email was gone.

I tried to contact Google about the issue, but even after finding a way to, maybe, contact them via email, I received no answer at all. I tried to contact Google about the easiness for someone else to steal an account too, but didn't get an answer.

All my previous email was gone. Now I perform regular backups myself, using IMAP, and this is for a simple reason: I don't trust Google and its services. Their services are usually not bad, they're cheap too and I don't hate them at all.

However, after that issue with them, I learnt that they don't provide any easy way to contact them beyond web forms for usual (and usually trivial) problems. They keep users at a distance. They don't care about their users and their users' data, unless their image (thus their business) would get hurt. In my experience, they're the most careless company in IT.

I think they're not evil, as they like to remember all the time. But they're not good either, they're just as any other company in the business. Just a bit more careless than direct competitors in my opinion...

I think you've hit on a HUGE problem. The trend in the cyber-world we've created is that the LAST thing big companies want is to be bothered by their customers. So they deal with them only by email and keep them at arm's length.

Maybe it was this guy's fault he got hacked, or maybe not, but what kind of "service" has Google provided to help him? Hardly anything. You can argue that Gmail is free, but this sort of attitude is prevalent even when you pay for services.

It is unreasonable to expect the average user to handle this unless you provide very easy ways for them to back up and/or recover their data themselves. Google doesn't. It's not part of the business model. One issue is that most users quite naturally assume it is. If Google publicly said this they'd be off the hook, but I've sure never heard them mention this in their self-promotional infomercials.

This article could be sub-titled a la "What it's like to be hacked - or why you should never store important data (without your own offline backup) using SaaS controlled by a third party, ESPECIALLY if it's a free service where the provider isn't accountable to you in any way".

Excellent point. The problem is that so many people naively assume that companies offering free services like Gmail or Facebook or whatever always have the best interests of the consumer at mind. People on this board are smart and know this but I feel sorry for the average consumer guy who has no clue. And nobody's telling him either. Hope all those literary people who know nothing about the computers they depend on for their jobs read that guy's experience at the Atlantic.